Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Traffic not blocked if service not running #1183

Open
voidray opened this issue Sep 7, 2024 · 5 comments
Open

Traffic not blocked if service not running #1183

voidray opened this issue Sep 7, 2024 · 5 comments
Labels
feature a whole new feature

Comments

@voidray
Copy link

voidray commented Sep 7, 2024
edited
Loading

Not sure if this is a bug, but I want to block all connections if the service is not running.
I set "DefaultAction": "deny" in /etc/opensnitchd/default-config.json, but this is only applied if the service is running.
I would like to have aynthing blocked and then decide what to allow (whitelist). Ideally in the UI I can see what is necessary.
The same question was asked here #884, but the issue was closed.

Ideally the service wouldn't be needed and the ui would just define the rules. This is how for example SimpleWall works on Windows, where the Windows internal firewall is used. I don't know the internals of OpenSnitch and the firewall concept in Linux to be able to say if that is possible in Linux.
@voidray voidray added the feature a whole new feature label Sep 7, 2024
@gustavo-iniguez-goya
Copy link
Collaborator

Hi @voidray ,

The main component of OpenSnitch is the daemon, the GUI is just a frontend to control the daemon. All the functionality is implemented in the daemon.

I would like to have aynthing blocked and then decide what to allow (whitelist).

You can change the DefaultAction to 'deny', well from the GUI (Preferences->Nodes) or well from the configuration: /etc/opensnichd/default-config.json

If the GUI is running, you'll be prompted to allow/deny outbound connections. If it's not running, all outbound connections should be denied.

@voidray
Copy link
Author

voidray commented Sep 17, 2024

If the daemon is not running outbound connections are not blocked, that is what my problem is.

@gustavo-iniguez-goya
Copy link
Collaborator

ok, but why is it not running? please, post the log /var/log/opensnitchd.log and the output of sudo systemctl status opensnitch

By the way, what distro and opensnitch version are you running?

Also it'll be useful launching it manually to see what's going on:

first be sure that it's not running: $ pgrep opensnitch (nothing should be printed)

then launch it as root:

~ $ sudo su
~ # /usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules/

@voidray
Copy link
Author

voidray commented Sep 17, 2024

To quote from the linked ticket "If the app crashes or even from a delay in launching at boot, all apps are allowed internet access until opensnitch is opened again, which could open up security issues."
I'm evaluating OpenSnitch and having to relay on a running service for security is problematic. Besides the mentioned reasons in the references ticket, there also could be for example a installation of a new version during which all traffic would be allowed.

@gustavo-iniguez-goya
Copy link
Collaborator

hmm, there could be an option to block all traffic if the daemon is not running under this item

opensnitch/daemon/default-config.json

Line 18 in 14747a0

"FwOptions": {

either by adding a fw rule to block outbound connections, or a module.

For now the service must be running to block outbound connections.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature a whole new feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@voidray @gustavo-iniguez-goya